Bug 1504090 - [RFE] Kuryr-kubernetes NetworkPolicy support
Summary: [RFE] Kuryr-kubernetes NetworkPolicy support
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.2.0
Assignee: Luis Tomas Bolivar
QA Contact: GenadiC
URL:
Whiteboard:
Depends On:
Blocks: 1651222
Reported: 2017-10-19 13:39 UTC by Antoni Segura Puimedon
Modified: 2019-10-31 07:43 UTC (History)
CC List: 8 users

Fixed In Version: openstack-kuryr-kubernetes-0.6.2-0.20190305141049.a019712.el8ost
Doc Type: Release Note
Doc Text:
A network policy is a specification of how groups of pods are allowed to communicate with each other and with other network endpoints. Kuryr implements network policies by creating one Neutron security group per policy and adding rules to it according to the network policy spec. To enable network policies in kuryr, several handlers must be enabled:
- The namespace handler, which creates a Neutron network per namespace
- The policy handler, which acts on network policy CRUD actions
- The pod_label handler, which reacts to changes in pod labels referenced by network policies
- The kuryrnetpolicy handler, which keeps track of the kuryr CRDs associated with network policies
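The release note describes the mapping only in outline. The following is an added illustration (not kuryr-kubernetes code) of how one NetworkPolicy spec can be turned into Neutron-style security-group rule descriptions. It uses the policy from the reproduction steps below as a constructed sample, and the `resolve_selector` hook is a hypothetical stand-in for the pod/namespace selector lookup a real controller would do. The point it makes that the paragraph does not: Neutron security-group rules are allow-only, so an `ipBlock` with `except` entries cannot be expressed as a deny rule and must be expanded into the complementary subnets that stay allowed.

```python
"""Added example: translate a Kubernetes NetworkPolicy into Neutron-style
security-group rule dicts.  Not kuryr-kubernetes code; illustrative only."""
import ipaddress

# Constructed sample input: the policy from the bug's reproduction steps.
SAMPLE_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "test-network-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "backend"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [{"ipBlock": {"cidr": "172.17.0.0/16",
                                   "except": ["172.17.1.0/24"]}}],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
        "egress": [{
            "to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}],
            "ports": [{"protocol": "TCP", "port": 5978}],
        }],
    },
}


def expand_ip_block(ip_block):
    """Return the CIDRs still allowed after removing every 'except' entry.

    Security-group rules can only allow traffic, so 'cidr minus except'
    has to be written out as the set of subnets that remain permitted.
    """
    allowed = [ipaddress.ip_network(ip_block["cidr"], strict=False)]
    for exc in ip_block.get("except", []):
        exc_net = ipaddress.ip_network(exc, strict=False)
        remaining = []
        for net in allowed:
            if net.version != exc_net.version:
                remaining.append(net)              # different families never overlap
            elif net == exc_net or net.subnet_of(exc_net):
                continue                           # block fully excluded
            elif exc_net.subnet_of(net):
                remaining.extend(net.address_exclude(exc_net))  # carve it out
            else:
                remaining.append(net)              # disjoint, keep as is
        allowed = remaining
    ordered = sorted(allowed, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered]


def _port_range(port_spec):
    """Map a NetworkPolicyPort to (protocol, min, max); None means unrestricted."""
    if port_spec is None:
        return (None, None, None)                  # any protocol, any port
    proto = port_spec.get("protocol", "TCP").lower()
    port = port_spec.get("port")
    if port is None:
        return (proto, None, None)                 # protocol only
    if not isinstance(port, int):
        raise ValueError("named ports need the pod's container spec to resolve")
    return (proto, port, port_spec.get("endPort", port))


def np_to_sg_rules(policy, resolve_selector=None):
    """Produce security-group rule dicts (Neutron field names) for one policy.

    resolve_selector(peer) -> list of CIDRs is a hypothetical hook for
    podSelector / namespaceSelector peers; ipBlock peers are handled inline.
    A direction listed in policyTypes with no rules yields no allow rules,
    which on an allow-only security group means that direction is denied.
    """
    spec = policy["spec"]
    types = spec.get("policyTypes")
    if types is None:                              # Kubernetes default
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    rules = []
    for ptype, key, peer_key in (("Ingress", "ingress", "from"),
                                 ("Egress", "egress", "to")):
        if ptype not in types:
            continue                               # direction not isolated
        for block in spec.get(key) or []:
            peers = block.get(peer_key)
            ports = block.get("ports") or [None]
            cidrs = [] if peers else ["0.0.0.0/0", "::/0"]   # no peers = any peer
            for peer in peers or []:
                if "ipBlock" in peer:
                    cidrs.extend(expand_ip_block(peer["ipBlock"]))
                elif resolve_selector is not None:
                    cidrs.extend(resolve_selector(peer))
                else:
                    raise ValueError("selector peer needs resolve_selector")
            for cidr in cidrs:
                ether = "IPv6" if ":" in cidr else "IPv4"
                for port_spec in ports:
                    proto, pmin, pmax = _port_range(port_spec)
                    rules.append({"direction": key, "ethertype": ether,
                                  "protocol": proto, "port_range_min": pmin,
                                  "port_range_max": pmax,
                                  "remote_ip_prefix": cidr})
    return rules


if __name__ == "__main__":
    for rule in np_to_sg_rules(SAMPLE_POLICY):
        print(rule)
```

For the sample policy this yields eight ingress rules (172.17.0.0/16 split around the excluded 172.17.1.0/24) plus one egress rule for 10.0.0.0/24 on TCP 5978. When checking a deployment, also confirm that the security group created for a policy with `Egress` in `policyTypes` does not still carry the two default allow-all egress rules Neutron adds to every new security group; if it does, egress is not actually isolated.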
Clone Of:
Environment:
Last Closed: 2019-09-21 11:15:27 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 573616 0 None MERGED Create network policy handler and driver 2020-12-22 15:07:01 UTC
OpenStack gerrit 583540 0 None MERGED Implement NP SG create/delete actions 2020-12-22 15:07:02 UTC
OpenStack gerrit 589521 0 None MERGED Add Network Policy tests 2020-12-22 15:07:01 UTC
OpenStack gerrit 590304 0 None MERGED Add a new gate for network policies 2020-12-22 15:06:59 UTC
OpenStack gerrit 603618 0 None NEW Add network policy security group rules tests 2020-12-22 15:07:02 UTC
OpenStack gerrit 605150 0 None MERGED Support network policy update 2020-12-22 15:07:34 UTC
OpenStack gerrit 608616 0 None MERGED Add security groups driver for NP 2020-12-22 15:07:01 UTC
OpenStack gerrit 611606 0 None MERGED Ensure namespace and network policy compatibility 2020-12-22 15:07:03 UTC
OpenStack gerrit 616261 0 None MERGED Ensure existing pods use the right network policy 2020-12-22 15:07:35 UTC
OpenStack gerrit 616638 0 None MERGED Remove np spec from kuryrnetworkpolicy annotations 2020-12-22 15:07:01 UTC
OpenStack gerrit 618521 0 None MERGED Ensure pod relabeling is supported by the Network Policy 2020-12-22 15:07:36 UTC
OpenStack gerrit 619632 0 None MERGED Add namespaceSelector support for NetworkPolicies 2020-12-22 15:07:36 UTC
OpenStack gerrit 620572 0 None ABANDONED Add support for matchExpressions 2020-12-22 15:07:04 UTC
OpenStack gerrit 622965 0 None MERGED Fix labels encode 2020-12-22 15:07:05 UTC
OpenStack gerrit 623554 0 None MERGED Add support for podSelector 2020-12-22 15:07:05 UTC
OpenStack gerrit 624065 0 None MERGED Ensure pod_label handler skips host_network pods 2020-12-22 15:07:37 UTC
OpenStack gerrit 625588 0 None MERGED Update CRD when NP has podSelectors 2020-12-22 15:07:05 UTC
OpenStack gerrit 625668 0 None MERGED Avoid raising ResourceNotReady exception at pod label handler 2020-12-22 15:07:06 UTC
OpenStack gerrit 626887 0 None MERGED Handle loadbalancer SGs are created when sg_mode is create 2020-12-22 15:07:04 UTC
OpenStack gerrit 627175 0 None MERGED Add Network Policy support to services 2020-12-22 15:07:06 UTC
OpenStack gerrit 627850 0 None MERGED Update CRD when NP has namespaceSelectors 2020-12-22 15:07:08 UTC
OpenStack gerrit 628436 0 None MERGED Fix NP creation when it has namespaceSelector 2020-12-22 15:07:06 UTC
OpenStack gerrit 629486 0 None MERGED Ensure reaction to svc target-port update 2020-12-22 15:07:07 UTC
OpenStack gerrit 629856 0 None MERGED Ensure NP changes are applied to services 2020-12-22 15:07:07 UTC
OpenStack gerrit 630158 0 None MERGED Fix Network Policy documentation 2020-12-22 15:07:05 UTC
OpenStack gerrit 630954 0 None MERGED Fix CRD update on pod creation 2020-12-22 15:07:05 UTC
OpenStack gerrit 631230 0 None MERGED Fix CRD update when NP has namespaceSelectors 2020-12-22 15:07:08 UTC
OpenStack gerrit 631781 0 None MERGED Revert "Ensure reaction to svc target-port update" 2020-12-22 15:07:40 UTC
OpenStack gerrit 633995 0 None MERGED Fix unused members deletion 2020-12-22 15:07:08 UTC
Red Hat Product Errata RHEA-2019:2811 0 None None None 2019-09-21 11:16:08 UTC

Description Antoni Segura Puimedon 2017-10-19 13:39:25 UTC
Description of problem:
In order to implement security in OpenShift cluster namespaces, there is the NetworkPolicy object which allows you to define ingress and egress policies that apply to a selector, i.e., a set of pods that share one or more labels.

Kuryr only supports security by means of specifying the Security Groups that apply to the Pods but not this native OpenShift way.

This feature request is about closing this feature gap and allowing users to leverage the power of NetworkPolicy objects and have them transparently mapped to security groups.

Steps to Reproduce:
1. Create a NetworkPolicy object

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
2. Create a neutron network and subnet 172.17.0.0/16 and place a VM there
3. Attach the subnet to the openshift cluster router
4. oc run --image=celebdor/kuryr-demo --labels="tier=backend"
5. oc get po
6. from the VM at 172.17.0.0/16 curl the IP of the pod with port 8080

Actual results:
No response from the pod due to Security Groups

Expected results:
The network policy is translated to security group changes to the matching pods and the response of the Pod HTTP server makes it back to the VM.

Comment 16 errata-xmlrpc 2019-09-21 11:15:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811